April 2, 2013

XMPP federation over Tor hidden services


Suppose you’re trying to chat with your friends in a totalitarian country and you want the government to learn as little as possible about you and your friends. How can you achieve that?

Existing chat networks

iMessage is run by Apple. Google Talk by Google. Skype by Microsoft. All these companies have been alleged to cooperate with the NSA in their PRISM spying program. This means the US government is able to read every message sent, know who talks to whom and how much two people talk. Many people have mentioned OTR and Tor against this dragnet surveillance, yet in my opinion both options do not offer the privacy I want.

OTR

Off-the-record encryption is a protocol designed for instant messaging. Using OTR in a conversation will encrypt all the messages sent, making it impossible for the server (or anyone else with access to the server) to read the contents. By securely exchanging fingerprints or by using a secret question users can verify that their chat partner is who they think (s)he is.

Yet this only solves part of the original goal: the server might not know what two people talk about, they do know that those two people talk, how much and when. This still gives the server the meta-data, which is exactly the information Verizon is alleged to have handed over and still an invasion of privacy.

Tor

To make it harder for the server to know where you are connecting from (which in many cases can give it a pretty good idea about who you are) you could start using Tor. Tor routes your connection through multiple different intermediate computers, making it very difficult to trace your connection back to you. If you, and all your friends, make sure to always use Tor when chatting then it will be hard for your totalitarian government to figure out who you are chatting with.

Make sure to create new accounts, otherwise you won’t benefit from the anonymity. If only one person in the group deletes his personal account and starts using Tor with all his old contacts, the government can easily guess who the new account belongs to.

Note that the server can see that there is a group of people always using OTR and Tor, which will stand out. The government might not immediately know who every account belongs to, but comparing the intensity and timing of chats to the old accounts might make it possible to uncover everyone.

Federation

One of the key strengths of the Extensible Messaging and Presence Protocol (XMPP), the protocol used by jabber.org and similar services, is federation. Similar to email, there isn’t a single server and so also not a single company that runs the network. Anyone can add a new server: in less than an hour, you could be running your own XMPP server.

You could apply this to make spying on you harder: by picking different servers in different jurisdictions you can ensure there isn’t a single server that knows the size of your group and the frequency of communications within the group.

However, all companies are coercible. If not by legal force, then the NSA (or equivalent) might try infiltrating or hacking that server. This just increases the amount of time it takes for your government to gain access.

Tor+federation

One lesser known feature of Tor are hidden services. A user of Tor can set up a server that runs completely inside the Tor network, with a hostname ending in .onion. Users connecting to that host will be guaranteed they are connected to the right host (the server can prove it owns that .onion address), yet the owner of the host will be completely anonymous. Nothing in the protocol will reveal the computer the server runs on.

So here comes what I’ve been working on: federation between hidden services. There are a handful of XMPP servers that also offer a hidden service (for instance, jabber.ccc.de is also reachable as okj7xc6j2szr2y75.onion), but that uses Tor only for the client’s connection.

My goal is to allow users on abcdefghijklmnop.onion to chat with users on zyxwvutsrqponmlk.onion entirely through the Tor network. If everyone installed a local, Tor-federated XMPP server, maybe as a plugin for Adium or Pidgin, then all communication would become very difficult to trace. It can be totally decentralized: no third-parties are needed for two people to chat. No third parties know anything more about the occurrence of chats or the links between people. New identities can be created in seconds. All of this while still supporting many of the features of XMPP: any normal XMPP client with Tor support can be used.

mod_onions

The current status is a plugin for the XMPP server Prosody. It’s a great server which is easy to set up and customize. The plugin can be found here, but note that it requires the unreleased version 0.9 of Prosody (there is a rc2 available).

The plugin doesn’t restrict federation to stay inside Tor: a normal public server can also enable it to allow its users to communicate to hidden servers (if that server allows that).

If you want to test it, you can reach me on me@2keehwlgbekr2ft6.onion, or join the group chat on mod_onions@o2o62e3u5ezzac6u.onion. :)

Security considerations

Please keep the following in mind:

  • This code is in “Proof of concept”-stage. It hasn’t been reviewed by anyone and should not be relied upon for strong anonymity.
  • Federating with an XMPP server that is not available 100% of the time can lead to issues. Don’t expect offline messages to work, authorization requests might need to be resent when a server wasn’t available when the contact was added, etc.
  • It’s slow. Tor itself might not be that bad, but, for example, a hidden group chat server can require 5 different Tor-connections to work.
  • TLS doesn’t offer much extra security beyond what Tor offers hidden services, so can be turned off (unless there’s a CA out there that hands out certificates for .onion hosts…).